Secure authentication protocol systems and methods

US 10,255,425 B2
Filed: 09/10/2018
Issued: 04/09/2019
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system for transferring authentication protocols between a sensor and a platform, the system comprising:

an input device to, during a pre-boot session;

verify received data representative of a first authentication factor;

store the verified first authentication factor;

store a credential logically associated with a prior session; and

verify the prior session using a prior session credential, wherein the prior session credential is logically associated with an immediately previous post-boot environment that includes a defined change that includes incrementing or decrementing the immediately previous post-boot environment by a defined value; and

an authentication engine to, during a current post-boot session;

receive the prior session credential from the input device and verify the prior session credential using the verified first authentication factor; and

generate a current post-boot session credential that is logically associated with the current post-boot session.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An input device of a secure authentication protocol system may receive at least one user authentication factor in a pre-boot session. The input device may verify the received authentication factors and may store the verified authentication factors. During a post-boot session, the input device may communicate the verified authentication factor and a stored post-boot session credential received during a prior post-boot session to an authentication engine executing in a trusted execution environment. The authentication engine verifies the received post-boot session credential is logically associated with an immediately preceding post-boot session. Upon successful verification of the received post-boot session credential, the verified authentication factors or data indicative of a successfully verified authentication factor received during the pre-boot session are used in the current post-boot session.

146 Citations

25 Claims

1. A system for transferring authentication protocols between a sensor and a platform, the system comprising:
- an input device to, during a pre-boot session;
  
  verify received data representative of a first authentication factor;
  
  store the verified first authentication factor;
  
  store a credential logically associated with a prior session; and
  
  verify the prior session using a prior session credential, wherein the prior session credential is logically associated with an immediately previous post-boot environment that includes a defined change that includes incrementing or decrementing the immediately previous post-boot environment by a defined value; and
  
  an authentication engine to, during a current post-boot session;
  
  receive the prior session credential from the input device and verify the prior session credential using the verified first authentication factor; and
  
  generate a current post-boot session credential that is logically associated with the current post-boot session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising trusted execution environment circuitry to provide and execute the authentication engine.
  - 3. The system of claim 1 wherein the authentication engine is further to replace a prior post-boot session credential with the current post-boot session credential.
  - 4. The system of claim 3 wherein the authentication engine is further to provide user access to the current post-boot environment responsive to a successful verification of the prior post-boot session credential.
  - 5. The system of claim 3 wherein the authentication engine is further to request a second authentication factor responsive to an unsuccessful verification of the prior post-boot session credential.
  - 6. The system of claim 5 wherein the authentication engine is further to provide user access to the current post-boot session responsive to a successful verification of the second authentication factor.
  - 7. The system of claim 1 wherein the input device is further to receive data representative of a user-supplied first authentication factor.
  - 8. The system of claim 7 wherein the input device comprises at least one of:
    - a knowledge factor input device, a possession factor input device, an inherence factor input device, a location factor input device, or a time factor input device.
  - 9. The system of claim 1 wherein the prior session credential includes a nonce value previously supplied by the authentication engine to the input device.
  - 10. The system of claim 1 wherein the prior session credential includes a calculated value based at least in part on a known value previously supplied by the authentication engine to the input device.

11. An authentication method, comprising:
- during a pre-boot session;
  
  verifying, by an input device, a first authentication factor;
  
  storing, by the input device, the verified first authentication factor;
  
  storing, by the input device, a credential logically associated with a prior post-boot session; and
  
  verifying the prior post-boot session using a credential logically associated with an immediately previous post-boot environment that includes a defined change that includes incrementing or decrementing the immediately previous post-boot environment by a defined value; and
  
  during a current post-boot session;
  
  receiving, by an authentication engine, the prior post-boot session credential from the input device and verifying the prior post-boot session credential using the verified first authentication factor; and
  
  generating a current post-boot session credential that is logically associated with the current post-boot session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11 wherein verifying the prior post-boot session credential comprises verifying that the prior post-boot session credential includes at least one credential representative of an immediately preceding post-boot session.
  - 13. The method of claim 12 further comprising, during the current post-boot session, overwriting the prior post-boot session credential with the current post-boot session credential.
  - 14. The method of claim 11, further comprising causing at least one circuit to execute at least one machine-readable instruction set that causes the at least one circuit to provide at least a portion of the authentication engine via a trusted execution environment.
  - 15. The method of claim 11 further comprising, during the current post-boot session, generating a query via the authentication engine and providing the generated query to the input device, wherein the receiving by the authentication engine of the prior post-boot session credential from the input device is responsive to the providing of the generated query.
  - 16. The method of claim 11 further comprising receiving, during the pre-boot session, the first authentication factor from a user.
  - 17. The method of claim 16 wherein receiving the first authentication factor from the user comprises:
    - receiving, via the input device, at least one of;
      
      a knowledge factor, a possession factor, an inherence factor, a location factor, or a time factor.
  - 18. The method of claim 11, further comprising:
    - providing, via the authentication engine, user access to the current post-boot session responsive to successful verification of the first authentication factor.
  - 19. The method of claim 11, further comprising:
    - requesting, by the authentication engine, a second authentication factor responsive to an unsuccessful verification of the stored prior post-boot session credential; and
      
      verifying, by the authentication engine, the second authentication factor prior to providing user access to the current post-boot session.
  - 20. The method of claim 19 wherein requesting a second authentication factor comprises requesting, by the authentication engine, at least one of the first authentication factor or the second authentication factor.
  - 21. The method of claim 19 wherein verifying the second authentication factor comprises verifying, by the authentication engine, at least one of the first authentication factor or the second authentication factor.

22. An authentication system, comprising:
- means for verifying, during a pre-boot session, a first authentication factor;
  
  means for storing, during the pre-boot session, the verified first authentication factor;
  
  means for storing, during the pre-boot session, a credential logically associated with a prior post-boot session;
  
  means for verifying, during the pre-boot session, the prior post-boot session using a credential logically associated with an immediately previous post-boot environment that includes a defined change that includes incrementing or decrementing the immediately previous post-boot environment by a defined value;
  
  means for receiving, during a current post-boot session, the prior post-boot session credential;
  
  means for verifying, during the current post-boot session, the received prior post-boot session credential; and
  
  means for generating, during the current post-boot session, a credential that is logically associated with the post-boot session.
- View Dependent Claims (23)
- - 23. The system of claim 22 wherein verifying the received prior post-boot session credential comprises verifying that the prior post-boot session credential includes at least one credential logically associated with an immediately preceding post-boot session.

24. A storage device including machine-readable instructions that, when executed by one or more circuits, cause the one or more circuits to:
- during a pre-boot session;
  
  verify, via an input device, a first authentication factor;
  
  store, via the input device, the verified first authentication factor;
  
  store, via the input device, a credential logically associated with a prior post-boot session; and
  
  verify the prior post-boot session using a credential logically associated with an immediately previous post-boot environment that includes a defined change that includes incrementing or decrementing the immediately previous post-boot environment by a defined value; and
  
  during a current post-boot session;
  
  receive, by an authentication engine, the prior post-boot session credential from the input device and verifying the prior post-boot session credential using the verified first authentication factor; and
  
  generate a current post-boot session credential that is logically associated with the current post-boot session.
- View Dependent Claims (25)
- - 25. The storage device of claim 24, wherein the machine-readable instructions further cause the authentication engine to verify that the stored prior post-boot session credential includes at least one credential logically associated with an immediately preceding post-boot session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Raziel, Michael, Bhargav-Spantzel, Abhilasha, Khosravi, Hormuzd M.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US16/126,342
Publication Number

US 20190034616A1
Time in Patent Office

211 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

Secure authentication protocol systems and methods

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication protocol systems and methods

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links